In a conventional data processing system, an application may use a so-called “logical address” to access memory. The operating system (OS) may translate that logical address into a linear address. For instance, a running process may use logical addresses, and when instructions in that process request access to memory, the OS may use descriptor tables to translate the logical addresses into linear addresses. A linear address may also be referred to as a virtual address.
Furthermore, the data processing system may include a central processing unit (CPU) with a memory management unit (MMU), and the OS may use that MMU to translate virtual addresses into physical addresses. For instance, the MMU may provide for a page directory for each active process, and one or more page tables for each page directory. In particular, the page tables may include a page table entry (PTE) for each page of virtual memory, to identify the corresponding physical page. In general, the MMU may store the page directory and the page tables in random access memory (RAM), but the MMU may use a translation lookaside buffer (TLB) to cache recently used PTEs. The MMU may also use other hardware resources (e.g., descriptor tables) to service memory access requests. For example, a control register (CR) in the CPU (e.g., CR3) may point to the physical address of the page directory for the current process. When the data processing system allows the OS to access the MMU directly, the page tables referenced above may be referred to as OS page tables.
Unfortunately, an OS may be infected with malware, and if the OS has access to all of the data stored in memory, the OS may wreak all kinds of havoc with the system. For instance, in a rooted kernel, the attacker can compromise the security of the system by modifying entries in the page table, such as by changing a PTE to point to some malicious code. This kind of change can lead to code injection, and the malware can thereby gain access to critical data.
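The translation path described above (CR3 to page directory to page table to PTE) and a defender-side check for the PTE change just mentioned, as an added example that is not part of the original text. It assumes the classic 32-bit two-level layout (10-bit directory index, 10-bit table index, 12-bit offset) and a constructed array standing in for physical RAM; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PRESENT  0x1u
#define FRAME(e) ((e) & 0xFFFFF000u)

/* Constructed toy physical memory: four 4 KiB frames (not real hardware state). */
static uint32_t phys[4 * 1024];

/* Bounds-checked 32-bit read of the simulated physical memory. */
static int rd(uint32_t pa, uint32_t *out) {
    if (pa >= sizeof phys) return -1;
    *out = phys[pa >> 2];
    return 0;
}

/* Walk CR3 -> page directory entry -> PTE -> physical address; 0 on success. */
int translate(uint32_t cr3, uint32_t va, uint32_t *pa, uint32_t *pte) {
    uint32_t pde;
    if (rd(FRAME(cr3) + ((va >> 22) & 0x3FF) * 4, &pde) || !(pde & PRESENT)) return -1;
    if (rd(FRAME(pde) + ((va >> 12) & 0x3FF) * 4, pte) || !(*pte & PRESENT)) return -1;
    *pa = FRAME(*pte) | (va & 0xFFF);
    return 0;
}

/* Integrity check: 1 if the mapping for va no longer matches the recorded PTE. */
int mapping_changed(uint32_t cr3, uint32_t va, uint32_t baseline_pte) {
    uint32_t pa, pte;
    return translate(cr3, va, &pa, &pte) != 0 || pte != baseline_pte;
}

/* Build one mapping: directory in frame 0, page table in frame 1, data in frame 2. */
void setup(void) {
    phys[1] = 0x1000u | PRESENT;                  /* PDE[1] -> page table at 0x1000 */
    phys[(0x1000u >> 2) + 5] = 0x2000u | PRESENT; /* PTE[5] -> frame at 0x2000 */
}

/* Simulate the PTE rewrite described above, inside the toy memory only. */
void simulate_pte_rewrite(uint32_t frame) { phys[(0x1000u >> 2) + 5] = frame | PRESENT; }

int main(void) {
    uint32_t va = 0x00405123u, pa, base;          /* dir index 1, table index 5 */
    setup();
    translate(0, va, &pa, &base);                 /* record the known-good PTE */
    printf("baseline: pte=0x%x pa=0x%x\n", (unsigned)base, (unsigned)pa);
    simulate_pte_rewrite(0x3000u);
    printf("changed after rewrite: %d\n", mapping_changed(0, va, base));
    return 0;
}
```

The check only helps if the baseline and the comparison run somewhere the compromised OS cannot modify, which is the problem the paragraph above sets up.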